Mind the Gap (Assessment): Preparing for CMMC Rollout
- Triumvirate Cyber

- Apr 25
Though the Cybersecurity Maturity Model Certification (CMMC) requirement has not yet been codified in active contracts, the groundwork is laid and we’ve received reports that the DoD is already considering contractors’ CMMC readiness when reviewing bids on solicitations despite it not being a formal requirement. When reviewing bids for multi-year contracts, the DoD wants to ensure that the suppliers they choose aren’t just meeting today’s requirements—they’re actively planning for tomorrow’s. Here's what to expect at every stage of CMMC rollout, starting now.

Phase 0: Preparing Ahead of the 48 CFR Final Rule
We’re currently in Phase 0, a critical and often underestimated period in which the most impactful actions can be taken before CMMC becomes a gatekeeper to contracts. The 32 CFR Part 170 final rule, published in October 2024 and effective in December 2024, formally established the CMMC program’s structure. All that remains is finalization of the 48 CFR (DFARS) rule, which will allow the DoD to require a CMMC status in solicitations and contracts. Once that happens, the preparation window will close quickly.
Here’s why this matters:
CMMC Level 2, which will apply to most contractors handling Controlled Unclassified Information (CUI), requires full implementation of all 110 NIST SP 800-171 (Rev. 2) controls.
These are not overnight changes. Controls such as multi-factor authentication, endpoint detection and response, logging and monitoring, and account management policies can take months to implement, document, and back with the evidence an assessor will ask to see.
As the final rule approaches, the demand for CMMC-qualified assessors and consultants will spike—and so will wait times.
This is the time to engage in a comprehensive gap assessment against NIST SP 800-171 Rev. 2, develop your System Security Plan (SSP), and document any Plans of Action and Milestones (POA&Ms). Even though the initial phase of the CMMC rollout requires only Level 1 and Level 2 self-assessments, the documentation behind a self-assessment must be defensible: a self-assessment is an attestation, and the same SSP and evidence will be examined when a C3PAO assesses you later.
Early action also demonstrates cybersecurity maturity and reliability to partners and primes—many of whom are already demanding subcontractor readiness, regardless of formal rule status. Companies that treat this phase seriously will be first in line for certifications—and first eligible to compete when contracts start including CMMC clauses.
Phase 1: Level 1 & Level 2 Self-Assessments
Phase 1 of the CMMC rollout is expected to begin in late 2025 or early 2026, on the effective date of the 48 CFR rule that revises DFARS clause 252.204-7021. That effective date is expected to fall 60 days after the final rule is published, and Phase 1 continues for 12 months thereafter. During this time, the DoD will begin inserting CMMC Level 1 (Self) and Level 2 (Self) status requirements into applicable solicitations and contracts. This phase will separate proactive contractors from those caught off guard.
While the DoD Chief Information Officer (CIO) website indicates Level 2 self-assessments will be permitted during this time, the final 32 CFR rule specifies that the DoD “may also, at its discretion, include the requirement for CMMC Status of Level 2 (C3PAO) in place of the Level 2 (Self) CMMC Status for applicable DoD solicitations and contracts” during Phase 1 (32 CFR 170.3(e)(1)). In addition, a recent DoD memo indicates that, in the long term, Level 2 self-assessments will not be permitted for any organization handling CUI that falls under the “Defense” organizational index grouping in the NARA CUI Registry.
With this in mind, by the time Phase 1 begins organizations should already have performed a credible internal or third-party pre-assessment and submitted a self-assessment score to the Supplier Performance Risk System (SPRS). Ensuring that score is defensible is crucial: the U.S. Department of Justice has been pursuing DoD suppliers that falsely attested to compliance with DFARS cybersecurity requirements and has reached substantial False Claims Act settlements with several of them. The reputational damage that follows such a settlement is harder to quantify, but no less real.
Phase 2: Level 2 Certification Required
Twelve months after the start of Phase 1, Phase 2 begins and applicable solicitations will start requiring Level 2 (C3PAO) status, achieved through an assessment by a Certified Third-Party Assessor Organization (C3PAO). Organizations bidding on these contracts must hold the required status at the time of award or risk being deemed ineligible.
Preparing for a C3PAO assessment can be intimidating, which is why we recommend starting sooner rather than later. Taking the time to ensure required controls are implemented and well documented makes the assessment much smoother. Organizations do get some room to close gaps found during an assessment, but it is limited: under 32 CFR 170.21, a conditional Level 2 status requires a minimum score of 88 out of 110, only one-point requirements (with a few specific exceptions) may be placed on a POA&M, and POA&M items must be closed out within 180 days or the conditional status expires. Any unmet requirement outside those bounds means a failed assessment.
Assessments are time-consuming, expensive, and stressful. Laying a solid foundation so that you enter a C3PAO assessment with full confidence in your compliance provides peace of mind and avoids the costliest missteps: paying for a reassessment, and losing opportunities while you are ineligible.
Phase 3: Introducing Level 3
Phase 3 will begin 24 months after Phase 1 and will introduce CMMC Level 3 requirements for contractors with access to certain types of highly sensitive CUI. Per the memo mentioned above, DoD guidance has indicated this will include:
“CUI associated with a breakthrough, unique, and/or advanced technology;
“Significant aggregation or compilation of CUI in a single information system or IT environment; and
“Ubiquity - when an attack on a single information system or IT environment would result in widespread vulnerability across DoD.”
Level 3 extends beyond the 110 requirements of Level 2 by adding 24 enhanced requirements selected from NIST SP 800-172. These requirements are intended to provide additional protection against advanced persistent threat (APT) actors. To achieve Level 3 status, an organization must first hold a Final Level 2 (C3PAO) status and then undergo a DCMA DIBCAC assessment of the additional Level 3 requirements.
Organizations which anticipate they may be subject to Level 3 should start preparing for Level 2 now and undergo a C3PAO audit in line with the Level 2 rollout. While preparing for Level 2, keeping an eye on the enhanced requirements will help ensure organizations are ready to achieve certification once Level 3 becomes a requirement.
Phase 4: Full Implementation
The final phase, anticipated 36 months after the 48 CFR rule takes effect, will see CMMC status become mandatory for all applicable new DoD solicitations and contracts, including option periods on existing contracts. There will be no more leeway: companies without the required status will not be eligible for award. By this point, cybersecurity maturity must be a routine part of business operations, not a project in progress.
Assessment cycles will be ongoing: Level 2 (C3PAO) status must be renewed every three years through a new third-party assessment, Level 1 self-assessments are repeated annually, and an annual affirmation of continued compliance must be posted in SPRS at every level. Internal audit processes, continuous monitoring, and staff training must become standard operating procedures.
How We Can Help You Prepare for CMMC Rollout
At Triumvirate Cybersecurity, we see CMMC as more than compliance—early adoption is a strategic market differentiator. As a CyberAB RPO, we work side-by-side with defense contractors to implement real-world, audit-ready solutions that ensure readiness through every phase of the rollout.
Don’t wait for the 48 CFR rule to act. Start now, lead with confidence, and secure your place in the next generation of the defense supply chain.